[buug] xtreelic, maitrd, busboy, and garcon

Patrick Soltani PSoltani at iitcorporation.com
Thu Feb 5 18:12:49 PST 2004

I always assume the worst ;-). 
Since your machine is linux run the following:

"netstat -nap"
check for the daemon/port number.  If you haven't set it up, kill it.

what's the result of "ls -/" or "ps -/".  if anything other than help pages, then you're likely have been trojaned.
Check the file sizes for "ps, ls, tcpdump, netstat login sh/bash" with a good copy.

you can do "lsof -p PID" get the PID from the netstat above for the processes you're concerned with, would tell more about your processes.

The answer from lsof could be reused with rpm -qf /path/to/file to see if it's part of any rpm package or a rouge install, or remote shell toolkit, RST.

Finally get the http://www.chkrootkit.org/  and install it, run and see the output.

Patrick Soltani.

> -----Original Message-----
> From: buug-admin at weak.org [mailto:buug-admin at weak.org]On Behalf Of
> Joseph Zitt
> Sent: Thursday, February 05, 2004 1:53 AM
> To: buug at weak.org
> Subject: [buug] xtreelic, maitrd, busboy, and garcon
> http://crypto.yashy.com/nmap.php which apparently runs nmap againt the
> machine that calls it, reported the following ports as open 
> on my RedHat
> 9 box:
> 22/tcp open ssh
> 80/tcp open http
> 996/tcp filtered xtreelic
> 997/tcp filtered maitrd
> 998/tcp filtered busboy
> 999/tcp filtered garcon
> I'm puzzled by the latter four entries, since they're not anything I'm
> familiar with. Googling suggests that maitrd has something to do with
> remote process invocation, but that's from a paper written in 
> 1990 that
> may or may not be relevant.
> Does anyone know what these are? Is there any way to find out what
> programs use them? Should I be worried, and should I close them?
> _______________________________________________
> Buug mailing list
> Buug at weak.org
> http://www.weak.org/mailman/listinfo/buug

More information about the buug mailing list